FirstBlood-#204 — Info leak that leads to non admin login
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-12, d20s84 reported:
Private code(invite key) is readily available in reddit forum that can be used with availabe doctor names in order to login credentials .
- Open the reddit link to obtain the private key : https://www.reddit.com/r/BugBountyHunter/comments/n4xzw1/firstbloodhackerscom_doctor_registration/
- Browse to the endpoint : /doctors.html to obtain doctor's name. They can be used as usernames .
- feed the credentials to /register.php. Boom !!! The login credentials to non administrative accounts are provided.
This report has been publicly disclosed for everyone to view
FirstBlood ID: 15
Vulnerability Type: Auth issues
A doctors invite code is leaked on the internet which if used grants anyone access to the doctor portal. The invite code should expire after use.
Respect Earnt: 1500000
is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.